XbowCriticalHighFindings
| Id | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678 |
| Rulename | XbowCriticalHighFindings |
| Description | Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate attention. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | High |
| Tactics | InitialAccess Execution PrivilegeEscalation DefenseEvasion Impact |
| Techniques | T1190 |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml |
| Version | 1.0.0 |
| Arm template | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678.json |
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
customDetails:
AssetId: AssetId
FindingName: FindingName
Mitigations: Mitigations
CreatedAt: CreatedAt
OrganizationId: OrganizationId
Severity: Severity
FindingId: FindingId
AssetName: AssetName
State: State
id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
name: XbowCriticalHighFindings
queryPeriod: 1h
requiredDataConnectors:
- connectorId: XbowSecurityConnector
dataTypes:
- XbowFindings_CL
- XbowAssets_CL
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByEntities: []
reopenClosedIncident: false
groupByCustomDetails:
- FindingId
matchingMethod: Selected
enabled: true
lookbackDuration: 24h
groupByAlertDetails: []
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml
query: |
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1190
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: StartUrl
severity: High
kind: Scheduled
triggerThreshold: 0
triggerOperator: gt
tactics:
- InitialAccess
- Execution
- PrivilegeEscalation
- DefenseEvasion
- Impact
status: Available
queryFrequency: 30m
alertDetailsOverride:
alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
description: |
Creates an incident for each Critical or High severity finding reported by XBOW that
is currently in an open state. These findings represent the most severe security issues
and require immediate attention. Each alert is deduplicated per finding so re-ingestion
of the same finding does not produce duplicate incidents.